1. Why MANRS is good for you
Protect others and protect your network
Marco d’Itri
<md@seeweb.it>
@rfc1036
Seeweb s.r.l.
ION Malta 2017 - 18 September 2017
2. How did we join MANRS?
I sent an email to ISOC.
If your network is well managed then you will not need to do anything
else.
MANRS is nothing fancy and nothing new: it is the bare minimum that
everybody is supposed to have already implemented.
3. MANRS protects your network and your reputation
BGP leaks may attract enough traffic to saturate your network.
Spoofed traffic may attack your own infrastructure.
If you cause trouble because you have not implemented MANRS, other
network operators will laugh and/or curse at you.
4. Please filter your BGP customers
If you do not, then sooner or later they will leak, will embarrass you and
maybe cause an outage for your whole network.
But this was the good scenario
You may also attract bad actors who do BGP hijackings for spamming
or other kinds of fraud.
And everybody will know.
5. Please filter spoofed traffic
If you do not then you will not know where traffic on your network
comes from.
But this was the good scenario
If you allow spoofing then people will buy your service because of this.
Do you want to be known in the industry as a business that caters to
cybercriminals?
6. Please allow others to filter your BGP announcements
Sooner or later you will leak, and this may save you.
You just need to register your routes in the RIPE database.
It also saves you time by allowing your transit providers to automate.
7. What is RPSL
Routing Policy Specification Language
A language which allows an autonomous system to describe its
routing policy in detail and to generate the matching router
configurations from it.
Defined by RFC 2622 (1999) and others.
8. RPSL is complex
Defined objects:
mntner, person, role
aut-num, route, inet-rtr, filter, peering
as-set, route-set, rtr-set, filter-set, peering-set
Please raise your hand if you have ever seen an rtr-set object.
Almost all of these objects can be ignored in practice.
9. The aut-num object
aut-num objects document the relationships among autonomous systems
and the routes exchanged by them.
aut-num: AS12637
import: ...
export: ...
Their purpose is to provide the information needed to configure your own
routers, but almost nobody uses them this way.
For third parties they only have informational value: you should either
keep them up to date or keep them as simple as possible.
10. The route object
A single route and the autonomous system which announces it:
route: 37.9.239.0/24
origin: AS12637
The route6 object describes IPv6 routes.
11. The as-set object
A list of autonomous systems:
as-set: AS12637:AS-CUSTOMERS
descr: Seeweb and its IPv4 customers
members: AS12637, AS31076, AS6831, AS50627
members: AS12654 # RIPE RIS Routing Beacons
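An added example, not part of the original slides, of the automation that registered route and as-set objects make possible: a transit provider turns a customer's as-set into an exact-match prefix filter and checks announcements against it. It assumes a flat as-set (nested as-sets are not expanded); the 192.0.2.0/24 and 198.51.100.0/24 route objects and AS64500 are constructed placeholders.

```python
import ipaddress

# Constructed sample: the as-set is the one shown above; the route objects for
# 192.0.2.0/24 and 198.51.100.0/24 and AS64500 are made-up placeholders.
SAMPLE_RPSL = """\
as-set:  AS12637:AS-CUSTOMERS
members: AS12637, AS31076, AS6831, AS50627
members: AS12654 # RIPE RIS Routing Beacons

route:   37.9.239.0/24
origin:  AS12637

route:   192.0.2.0/24
origin:  AS31076

route:   198.51.100.0/24
origin:  AS64500
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = []
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()  # drop end-of-line comments
            if line:
                key, _, value = line.partition(":")
                attrs.append((key.strip().lower(), value.strip()))
        objects.append(attrs)
    return objects

def build_filter(objects, as_set_name):
    """Return the (prefix, origin) pairs registered by members of the as-set."""
    members = set()
    for obj in objects:
        if obj[0] == ("as-set", as_set_name):
            for key, value in obj[1:]:
                if key == "members":
                    members.update(m.strip().upper() for m in value.split(",") if m.strip())
    allowed = set()
    for obj in objects:
        origin = dict(obj).get("origin", "").upper()
        if obj[0][0] in ("route", "route6") and origin in members:
            allowed.add((ipaddress.ip_network(obj[0][1]), origin))
    return allowed

def accept(allowed, prefix, origin_as):
    """Exact-match an announcement against the generated filter."""
    return (ipaddress.ip_network(prefix), origin_as.upper()) in allowed
```

A leaked more-specific, a prefix announced by the wrong origin, and a route whose origin is outside the as-set are all rejected by the exact-match check.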